Learning Encryption...

[Sarlecc]

This thread is an exercise to learn more about encryption and improve my experiments the purpose is not to make a solid JavaScript encryption method. Anyway my latest experiment involves a dual pass method, a string and a number. The string pass can take virtually any character (giving it thousands of options for just a single character). The number can be any number in JavaScript (including negative and floating point numbers).

function encrypt(str, en, num) {
        var str2 = '', c1;
        for (let i = 0; i < str.length; i++) {
            c1 = str.charCodeAt(i);
            for (let p = 0; p < en.length; p++) {
                c1 = c1 + en.charCodeAt(p) - num;
            }
            str2 += String.fromCharCode(c1);
        }
        return str2;
    };

    function decrypt(str, en, num) {
        var str2 = '', c1;
        for (let i = 0; i < str.length; i++) {
            c1 = str.charCodeAt(i);
            for (let p = 0; p < en.length; p++) {
                c1 = c1 - en.charCodeAt(p) + num;
            }
            str2 += String.fromCharCode(c1);
        }
        return str2
    };

The decrypt function can also be used to encrypt and the encrypt function to decrypt. Now while my description above might sound like this is a good method for encryption it has at least one major flaw. Assuming one knows the number one could potentially figure out a password that works.

var string = encrypt('Hello World', 'b1', 900);
//=> "陸藺立立狀嶺梨狀什立璘"

decrypt(string, 'c0', 900);
//=> "Hello World"

As you can see the passwords do not match in this case but it still decrypts the string successfully. Granted this is harder to pull off with longer passwords but it is still possible. I am interested to see how the above functions could be improved (namely to remove the aforementioned flaw).

Spoiler: Here is something you can try to decrypt if you want to try your hand at it

""

Yes this actually does decrypt into an actual sentence.

Spoiler: Number code

-289110
Try doing it without using the pass though. (>_<)

Spoiler: password

""

 

[Sarlecc]

So after studying my method of encryption, I realized that the problem is the simple arithmetic that it was using. Assuming that the end result number for a character is say 5 there are many different combinations that may be used to achieve the desired result (1 + 4, 2 + 3, etc). So to fix this I use left shift on even numbers and right shift on odd numbers. This greatly improved the encryption to the point where I had to start logging numbers to figure out how close certain characters were getting me to the required result. After awhile I was able to break it again by changing the number pass to a decimal. Once again this was an easy fix of just rounding the number. So now:

var string = encrypt('hello world', 'b1', 900)
"屮塀懲懲暑林碑暑渚懲器"

decrypt(string, 'ob', 916)
//result numbers are 1 higher
"ifmmp!xpsme"

decrypt(string, 'ob', 915)
//result numbers are 1 lower
"gdkknvnqkc"

//without rounding the number pass
decrypt(string, 'ob', 915.5)
"hello world"

These results look promising; however there may still be the possibility that there exists a solution for breaking the encryption besides the proper passes.

Spoiler: New code for above results:

    function encrypt(str, en, num) {
        var str2 = '', c1, c2;
        for (let i = 0; i < str.length; i++) {
            c1 = str.charCodeAt(i);
            for (let p = 0; p < en.length; p++) {
                c2 = en.charCodeAt(p);
                c2 = c2 % 2 === 0 ? c2 << 1 : c2 >> 1;
                c1 = c1 + c2 - Math.round(num);
            }
            str2 += String.fromCharCode(c1);
        }
        return str2;
    };

    function decrypt(str, en, num) {
        var str2 = '', c1, c2;
        for (let i = 0; i < str.length; i++) {
            c1 = str.charCodeAt(i);
            for (let p = 0; p < en.length; p++) {
                c2 = en.charCodeAt(p);
                c2 = c2 % 2 === 0 ? c2 << 1 : c2 >> 1;
                c1 = c1 - c2 + Math.round(num);
            }
            str2 += String.fromCharCode(c1);
        }
        return str2
    };

I would like to know if anyone can spot anymore potential ways to break the encryption without using the proper passes.

 

[ldd]

The first rule of crypto is to never use your own crypto.

It's JS land. You could use, crypto-js[0], or any of a multitude of simple encoders that have been used before, and might be very fast and at least somewhat secure.

Math.random() itself has been shown to be not-cryptographically secure under certain conditions.[1]
You could use `crypto.getRandomValues` instead.


[0] https://github.com/brix/crypto-js
[1] https://stackoverflow.com/questions/5651789/is-math-random-cryptographically-secure

 

[Sarlecc]

I am aware of Crypto (I actually switched to this in a new unreleased version of ExEngine meaning you can use things like aes and sha).
Basically I am just experimenting with creating my own encryption algorithm to see what I can come up with and for fun. (My attempts will probably not beat proven methods for encryption).

Thanks for linking to the stack over flow question though gonna have some reading to do tomorrow.